Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-02-2021 07:08
- Static task: static1
- Behavioral task: behavioral1
  Sample: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Resource: win10v20201028
General
- Target: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
- Size: 78KB
- MD5: ec1f806b2ca57c3c03be303890c6fd65
- SHA1: 7d48e0cb19d60dfe2a3a04aef63c57482a024c97
- SHA256: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8
- SHA512: 78d31f7738d47a65952ee6315f4a3ab25f35d47eed4b4832fbfe890c1b286dca1ae42dc9721b5ffa6a0ff3c0576bf621964d384d977b2851433e20538b57f0d6
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Executes dropped EXE (1 IoC)
Processes:
  PID 708  tmp2D11.tmp.exe
-
Deletes itself (1 IoC)
Processes:
  PID 708  tmp2D11.tmp.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Process: tmp2D11.tmp.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Token: SeDebugPrivilege  PID 708   tmp2D11.tmp.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source process wrote to memory of target process):
  PID 4684 (07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe) -> PID 992 (vbc.exe)
  PID 4684 (07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe) -> PID 992 (vbc.exe)
  PID 4684 (07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe) -> PID 992 (vbc.exe)
  PID 992 (vbc.exe) -> PID 3676 (cvtres.exe)
  PID 992 (vbc.exe) -> PID 3676 (cvtres.exe)
  PID 992 (vbc.exe) -> PID 3676 (cvtres.exe)
  PID 4684 (07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe) -> PID 708 (tmp2D11.tmp.exe)
  PID 4684 (07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe) -> PID 708 (tmp2D11.tmp.exe)
  PID 4684 (07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe) -> PID 708 (tmp2D11.tmp.exe)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smhk2iid.cmdline"
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5573FE4A52444FFBB16DCE4035DE28F1.TMP"
  - Level 2: C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe" C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES2E49.tmp
  MD5: c09e203206ba845940382aeffc897118
  SHA1: cf026b3f1981684991a4519565d34e7b42d887a4
  SHA256: 10e1262ee5aa72d5f21358764cfcdc9c5f35fc294805148715110e5adc48a1ad
  SHA512: 246128887850e6d55ce9789d1a78741a8b0d8798633ccebbe1119594abf8afcdb8d27bb93c7cd942300fe99175b20a3862bc731af38148f96af8993b229a1f7f
- C:\Users\Admin\AppData\Local\Temp\smhk2iid.0.vb
  MD5: f034b63bf17fa1090878e95a1032f40e
  SHA1: 54e1461012d708625730172a44a77147309929e9
  SHA256: e72f4d04bae919618969bb1e91a0eeefcf250dc4da3691b37984753698580689
  SHA512: 331dd62c779b4ae69f4c4a180ed3233f182922c1cd3eb808c0fdd9c9e08d58fc8aec4ad6d26e799e1e7f6098ec5cc89c458e561ca3fb5ea9db455e67b9d69dee
- C:\Users\Admin\AppData\Local\Temp\smhk2iid.cmdline
  MD5: 54e1a05dfb5f8dbb935f1bba9e01db04
  SHA1: 7d144d1b3bf1e2070fe941374bedf90259c08289
  SHA256: ab2a5f4ec5c29c03f0da65258c4a6f504381cc99e35226afa4b18ce5e83bdcba
  SHA512: 571eb5e790485984bc481fe5e9acfe62b0ae5408e2bf605a6fa719b01a2352b0ab2f4860d8cbe90895f222c3c537acddabdb2f06e807b9c4712f62d713d42d5b
- C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe
  MD5: 8ff924d3f855014eacbeb1c2aec2b6e1
  SHA1: 3e785481ab8c5baf634b2b7a5dcb5b9a2b4cea5f
  SHA256: 661d9d5ee97a3cb8f55d29e78c154bfda41907ea11f70719bda3e1da11337ae8
  SHA512: eeb7268c2c69e380ee30bbaa4f162da4fd9fd6662b2e66db5f738fba2b0c6dc9e998d2bc5a502c5b9573bd436b7abdd70440ce666d41b2e0f377722bfca695cf
- C:\Users\Admin\AppData\Local\Temp\vbc5573FE4A52444FFBB16DCE4035DE28F1.TMP
  MD5: 2f454a42c9e2b76ecae9f901856bf246
  SHA1: 2c17770304e8104320d29d0fe768986309464e82
  SHA256: 1ecc8e3c958ebe0e654c1590c6947e4a0ce20ec97144c8f3292408b10ea4c5c9
  SHA512: 8d44d2eeaad937bd3ec4078a31ed7fd818d3f840dd9bffc7d2ec964207597e1a7c07fcb8a1e6123cda722357a2fce02b40892a41de44e456d0fcc113f34a786d
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  MD5: 097dd7d3902f824a3960ad33401b539f
  SHA1: 4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f
  SHA256: e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f
  SHA512: bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4
- memory/708-12-0x0000000000000000-mapping.dmp
- memory/708-14-0x0000000002F20000-0x0000000002F21000-memory.dmp (Filesize: 4KB)
- memory/708-15-0x0000000002F23000-0x0000000002F25000-memory.dmp (Filesize: 8KB)
- memory/992-11-0x0000000002350000-0x0000000002351000-memory.dmp (Filesize: 4KB)
- memory/992-3-0x0000000000000000-mapping.dmp
- memory/3676-7-0x0000000000000000-mapping.dmp
- memory/4684-2-0x0000000002720000-0x0000000002721000-memory.dmp (Filesize: 4KB)